Code Review / so.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: d18c3bb)
Fixing XML parsers security bug 30/122330/1
authorwaqas.ikram <waqas.ikram@est.tech>
Tue, 29 Jun 2021 10:02:30 +0000 (11:02 +0100)
committerwaqas.ikram <waqas.ikram@est.tech>
Tue, 29 Jun 2021 10:07:24 +0000 (11:07 +0100)
Change-Id: I6c25dd87f393bbeca016a651d68afa11e60f3d94
Issue-ID: SO-3662
Signed-off-by: waqas.ikram <waqas.ikram@est.tech>
adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java patch | blob | history

diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
index 31da330..44d3947 100644 (file)
--- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
+++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
@@ -24,9 +24,11 @@ package org.onap.so.adapters.tasks.orchestration;
 
 import java.io.ByteArrayInputStream;
 import java.io.StringReader;
+import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXB;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -66,6 +68,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.w3c.dom.Document;
 import com.woorea.openstack.heat.model.Stack;
 
 @Component
@@ -73,6 +76,8 @@ public class PollService extends ExternalTaskUtils {
 
     private static final Logger logger = LoggerFactory.getLogger(PollService.class);
 
+    private static final String EMPTY_STRING = "";
+
     @Autowired
     private MsoVnfAdapterImpl vnfAdapterImpl;
 
@@ -318,14 +323,16 @@ public class PollService extends ExternalTaskUtils {
         success.setTrue();
     }
 
-    protected Optional<String> findRequestType(String xmlString) {
+    protected Optional<String> findRequestType(final String xmlString) {
         try {
-            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-            DocumentBuilder builder = factory.newDocumentBuilder();
-            org.w3c.dom.Document doc;
-            doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes("UTF-8")));
+            final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, EMPTY_STRING);
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, EMPTY_STRING);
+
+            final DocumentBuilder builder = factory.newDocumentBuilder();
+            final Document doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8)));
             return Optional.of(doc.getDocumentElement().getNodeName());
-        } catch (Exception e) {
+        } catch (final Exception e) {
             logger.error("Error Finding Request Type", e);
             return Optional.empty();
         }
Service Orchestrator